1 (edited by asmartin 2013-12-22 19:49:18)

Topic: ZyXEL P-2812HNU-F1 Unbranding Process

Hi ALL.

I finally got it: I unbranded or changed the firmware from my ZyXEL P-2812HNU-F1 router. Now working with this router and firmware version 3.11(TUJ.0)C0 I previously downloaded from ZyXEL FTP server.

All you need is:

  1. Philips screwdriver


  2. USB to TTL FTDI cable (eBay) & Drivers


  3. RJ45 LAN cable


  4. Tera Term Pro for Windows®


  5. TFTPD32 , a TFTP Server


  6. Files:


The procedure is as follows:


  1. Unmount front panel of ZyXEL P-2812HNU-F1 using screwdriver


  2. Connect FTDI TTL cable (just GND, TX and RX cables are needed) to the router board as indicated in the following image



                        http://imageshack.us/a/img823/4554/0cpw.jpg


                        http://imageshack.us/a/img11/4401/3n2x.jpg


         
    Observe GND pin as reference pin (isolated pin).


  3. Connect FTDI USB cable to PC and install drivers.


  4. Connect LAN1 port of router to your PC LAN port usign RJ45 cable.


  5. Configure PC LAN adapter:


    • IP Address: 192.168.1.X (where X is in the range of 2 to 255)


    • Subnet mask: 255.255.255.0


  6. Start Tera Term Pro and configure serial port:


    • Port: (see serial ports in Computer Management/Device Management)


    • Baud rate: 115200


    • Data: 8 bit


    • Parity: none


    • Stop: 1 bit


    • Flow control: none


  7. Power up the router andstop start up sequence by pressing any key.


    You should see ZyU console like


         ZHAL>_


    Note: All AT commands (ATSH, ATSE, ATEN, ...) will be executed in Tera Term Pro, that is in ZyU console.


  8. Execute TFTPD32


    Configure to bind TFTP server to PC LAN port (192.168.1.X)


    Copy bootbase file 304TUJ.bm and frimware file 311TUJ0C0.bin to TFTP Base Directory folder (where send/receive files are stored)


  9. Execute ATSH command


    Take note of Serial number and First MAC address values


  10. Execute ATSE P-2812HNUL-F1 command


    Where P-2812HNUL-F1 is the x argument of ATSE command.


    You will obtain a 12 digit seed number


  11. Execute ZynPass.exe windows application


    Introduce previous seed number provided by ATSE command in seedNumber field, then push Generar button and obtain the password for ATEN command in Password field



              http://imageshack.us/a/img577/1306/artl.png



  12. Execute ATEN 1,password command


    Where password is the password we previously obtained in step 11.


    This command activates Enable Debug Falg.


  13. Execute ATBT 1 command.


    This command unlocks block0 in flash memory where bootloader resides.


  14. Execute ATUB 304TUJ.bm command.


    This command uploads bootbase file from TFTPD Base directory folder to the router, erases the block0 flash and writes new bootbase


  15. Execute ATUR 311TUJ0C0.bin command


    This command uploads firmware file from TFTP Base directory folder to the router, erases the flash and writes new firmware


  16. Restart the router (switch off and then switch on)



Now it's necessary to customize the serial number and the MAC address to match label in the router.


  1. Repeat steps 7 and 13 to get access to ZyU console


    Observe Debug Falg is enable in the new boobase, by default.


  2. Execute ATCB command


    This command copies manfacturer data from flash rom to working buffer (RAM)


  3. Execute ATSN SerialNumber command


    Where SerialNumber is the Serial number obtained in step 9


    This command changes serial number in working buffer to the right one in the router label/stick


  4. Execute ATWM MACAddress command


    Where MACAddress is the First MAC address obtained in step 9


    This command changes MAC address in working buffer to the right one in the router label/stick


  5. Execute ATSB command


    This command saves customized data in working buffer to flash rom.



Available AT commands in ZyU console should be:

ZHAL> ATHE
ATBT    x         block0 write enable (1=enable, 0=disable)
ATWM    x         set MAC address in working buffer
ATEN    x,(y)     set BootExtension Debug Flag (y=password)
ATSE    x          show the seed of password generator
ATWZ    a(,b,c)   write ZyXEL MAC addr, Country code, EngDbgFlag
ATCB              copy from FLASH ROM to working buffer
ATCL              clear working buffer
ATSB              save working buffer to FLASH ROM
ATBU              dump manufacturer related data in working buffer
ATSH              dump manufacturer related data in ROM
ATCO    x         set country code in working buffer
ATFL    x         set EngDebugFlag in working buffer
ATVD    x         set vendor name in working buffer
ATPN    x         set product name in working buffer
ATFE    x,y,...   set feature bits in working buffer
ATSN    x         set serial number in FLASH ROM
ATTL              MRD_CERT & ROM-D partition utility
ATGO              boot up whole system
ATGU              go back to U-Boot command line mode
ATRT    (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
ATMI    x         Enable/Disable model ID checking (1=enable, 0=disable)
ATUR    x         upgrade RAS image (filename)
ATUB    x         upgrade ZyU-Boot image (filename)
ZHAL>

2 (edited by cornelus2009 2013-12-21 20:44:12)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

oau, bravo!

nice tutorial.

Burlacu Cornel
Romania

3 (edited by asmartin 2013-12-22 09:10:44)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Thanks cornelus2009.

Now I'm investigating and looking for information about TUJ.3 firmware to see if it comes from any ISP or is the most advanced firmware from ZyXEL for this router.

I will purcahse a new router (maybe in amazon) and study it firmware.

Advice: use WinSCP to access router's file system after SFTP service is activate.

I can see 3.11(TUJ.0)C0 comes with a Telenor user folder (in /home folder) so maybe this router was a custom design for Telenor in first approach, later for public customers.

I will try to improve with customized images.

Just another way to help users to customized their routers.

Any suggestion will be welcome.

I enjoy helping

Re: ZyXEL P-2812HNU-F1 Unbranding Process

asmartin,

Very well explained doc! For sure i gonna test this one.
(still waiting for my TTL serial cable : )


Questions:

Point 10:
Are you sure about: Execute ATSE P-2812HNUL-F1 command?
Because the 'L' version is another version of the P-2812-router range?

Point 16:
Isn't the router rebooting by itself after downloading new firmware?


Remarks:

Point 11:
Found also online calculator for (other) ZyXEL machines: http://www.tonycool.es/zyxel/zynpass_en.htm

Just for u to change in original doc:
- screwdriver instead of screewdriver (multiple)


Regards, DG.

5 (edited by asmartin 2013-12-22 11:45:46)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Hi DGDodo.

Thank you.

I will try to answer point by point.

Point 10:

Yes, it works in most routers, it's just a "word" I had when I look to GPL sources and found this "jocking" parameter just needed to avoid us to use ATSE command, so it has no meaning more than being "secret". It could be "smile" or "wierd" or any strange word, not  related to model. Have a look to this link. Cornelus2009 found DSL-2492HNU-L3v2  as x parameter for his P-2812HNU-F3 (from Telenor).

Point 16:

Yes router reboots but I prefer to force manually rebooting after flashing process to ensure all memories and parameters are actually restarted in the router. Maybe this step could be avoided, but also defines an "end point" for this procedure, because it's not necessary to load customized MAC and serial numbers too.

Point 11:

I used the ZynPass.exe, but you can use any password generator like that from Antonio (Tony). Doesn't matter. Indeed, if you don't work under Windows, you need another access like that of Tony to calculate the password, best suitable for web broser.

Maybe you could compile the code for new calculator in linux and include it in the procedure ... just have a look to this code from xiios@hot.ee and the procedure.

There is also a linux password generator at linux password generator. Thanks to cornelus2009. You only need to execute this program using ./zyxel in same folder it resides.


Thanks for your advice regarding "double ee", I'm from Spain, and I need to correct a lot of my english big_smile.

All suggestions will be welcome. We need to improve the procedure as much as possible.

Re: ZyXEL P-2812HNU-F1 Unbranding Process

asmartin,

Clear answers for me, THX!

I bought myself the TTL serial converter on ebay, below 1 euro!
Although not yet received it, already have made some plans for the ZyXEL that I wanna fix.

1st:
Run your fix process to make the box running 'normal' again.
It now only boots but does not give an ipadres, so i don't have a clue if it can even be fixed (need the TTL serial converter).

2nd:
Reverse analyse working environment, so I (we) can rebuild OpenWRT to run on these boxes.
Don't need the ADSL functionality, only WAN, Wifi and LAN, 4x1Gbps would be perfect!
Hopefully WAN can run 1Gbps as well, otherwise I only need the 1Gbps hub and Wifi.

Hopefully waiting on my TTL serial cable
Also to fix another (branded) router, TG787v.

Regards, DG.
'Every day, everybody should learn 1 thing', quote of myself.

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Here is web calculator for ATEN password:

      ATEN Password Calculator

Re: ZyXEL P-2812HNU-F1 Unbranding Process

I'm actually sort of a newbie when it comes to this, so I was just wondering;
1. does this process enable the development for third party firmware on the p2812 ? - if so, will this happen?

2. does the unbranding of this device give me any features that i dont already have with the firmware that is on it? (is the  3.11(TUJ.0)C0 firmware "better" than the 'telenor'-one i have now?)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Problems. First, the ATSE 'password' for my box is P2812HNU-F1

Flashing of 304TUJ.bm went well, but flashing of the bin file failed

ZHAL> ATBT 1
ZHAL> ATUB 304TUJ.bm
Using vr9 Switch device
TFTP from server 192.168.1.33; our IP address is 192.168.1.1
Filename '304TUJ.bm'.
Load address: 0x80000000
Loading: T T T T T checksum bad
checksum bad
T ###########################
done
Bytes transferred = 135168 (21000 hex)
nand erase offset 0 length 20000
Erasing at 0x0 -- 100% complete.
OK
ZHAL> ATUR 311TUJ0C0.bin
atur from 0x80000000 load 311TUJ0C0.bin
Using vr9 Switch device
TFTP from server 192.168.1.33; our IP address is 192.168.1.1
Filename '311TUJ0C0.bin'.
Load address: 0x80000000
Loading: #################################################################
         #################################################################
<snip>
         #################################################################
         ###
done
Bytes transferred = 18984768 (121af40 hex)
verify zboot ok
FW package is not correct

Don't know what's wrong here. Can you provide an MD5 sum?

Further there is something funny with writing the serial number. On executing ATSN the box rebooted:

ZHAL> ATCB
ZHAL> ATSN S110Y28067074
Can't write to protected Flash
ZHAL> ATBT 1
ZHAL> ATSN S110Y28067074
nand erase offset 0 length 20000
Erasing at 0x0 -- 100% complete.
OK

ROM VER: 1.0.5
CFG 06
NAND
NAND Read OK
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa7ffffff
DDR check ok... start booting...

Meanwhile the exchange of the bootbase succeeded, and so did the change of the serial number. But changing MAC address failed. Old ATSH:

ZLD   Version          : V3.10(TUE.1)
Bootbase Version       : V3.06|03/31|2011(TUE)
Vender Name            : ZyXEL Communications Corp.
Product Model          : P-2812HNU-F1
Serial Number          : S110Y28067074
First MAC Address      : CC5D4E0A8B78
Last MAC Address       : CC5D4E0A8B7F
MAC Address Quantity   : 08
Default Country Code   : FD
Boot Module Debug Flag : 00
RootFS      Checksum   : 0000f711
Kernel      Checksum   : 00005e3a
RomFile     Checksum   : 0000ab94
Main Feature Bits      : 00
Other Feature Bits     :
          06 00 00 02 19 01 00 ff-f8 00 00 00 01 00 00 00
          00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00

And current:

ZLD   Version          : V3.10(TUE.1)
Bootbase Version       : V3.04|04/01|2011(TUJ)
Vender Name            : ZyXEL Communications Corp.
Product Model          : P-2812HNUL-F1
Serial Number          : S110Y28067074
First MAC Address      : B0B2DC0A8B78
Last MAC Address       : B0B2DC0A8B7F
MAC Address Quantity   : 08
Default Country Code   : FD
Boot Module Debug Flag : 01
RootFS      Checksum   : 0000f711
Kernel      Checksum   : 00005e3a
RomFile     Checksum   : 0000ab94
Main Feature Bits      : 00
Other Feature Bits     :
          06 00 00 04 19 01 00 ff-f8 00 01 00 01 00 00 00
          00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00

The box is not bricked. As far as I can see nothing changed in the actual runmode.

10 (edited by asmartin 2013-12-28 21:18:32)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Hi Mijzelf

Yes, the box reboots after writting serial number, also happened to me smile

I changed the serial number and MAC in bootbase to avoid using the ones of OXO. I will restore original bm file in a few minutes. Please could you try ATUB again? and show us new log/output?

Maybe firmware is not right in dropbox, but it should be. You can download from zyxel ftp site and use that frim from zyxel site.

          P-2812HNU-F1_3.11(TUJ.0)C0.zip

Please report results.

Thanks in advance.

Re: ZyXEL P-2812HNU-F1 Unbranding Process

The bin file in the ZyXEL zip file has the same md5sum as the one from dropbox. So I guess there is something else wrong.

12 (edited by asmartin 2013-12-29 12:20:11)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Did you try new bootbase before firm upgrade?

Maybe disabling ID checking with ATMI 0 will help you.

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Today, flashing succeeded directly. Yesterday after a power cycle I had to use the P2812HNU-F1 password, today it had to be P-2812HNUL-F1. Maybe my power cycle was too short, causing an incomplete reboot.

Now I have another problem, of course. There is no webinterface. Fortunately I can login as root, and get a real shell. The bootlog shows:

Can not find httpd /usr/apache2/bin/apachectl

And indeed that file lacks. There is no /usr/apache2 directory.

find / | grep apache

doesn't show anything.
I can start mini_httpd, but that doesn't help. The webinterface is redirected to http://192.168.1.1/login.cgi, which shows an empty page.

14 (edited by asmartin 2013-12-29 15:25:53)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Hi Mijzelf

ATSE parameter is in a file inside bootbase, and your bootbase changed to 3.04TUJ which has P-2812HNUL-F1. That's why it changed.

Did you upload 3.11TUJ0 bin file successfully with ATUR command?

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Yes, sorry if that wasn't clear.

ZHAL> ATSH
ZLD   Version          : V3.11(TUJ.0)
Bootbase Version       : V3.04|04/01|2011(TUJ)
Vender Name            : ZyXEL Communications Corp.
Product Model          : P-2812HNUL-F1
Serial Number          : S110Y28067074
First MAC Address      : B0B2DC0A8B78
Last MAC Address       : B0B2DC0A8B7F
MAC Address Quantity   : 08
Default Country Code   : FD
Boot Module Debug Flag : 01
RootFS      Checksum   : 0000c2ac
Kernel      Checksum   : 000072d4
RomFile     Checksum   : 0000ab94
Main Feature Bits      : 00
Other Feature Bits     :
          06 00 00 04 19 01 00 ff-f8 00 01 00 01 00 00 00
          00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Mijzelf wrote:

Yes, sorry if that wasn't clear.

ZHAL> ATSH
ZLD   Version          : V3.11(TUJ.0)
Bootbase Version       : V3.04|04/01|2011(TUJ)
Vender Name            : ZyXEL Communications Corp.
Product Model          : P-2812HNUL-F1
Serial Number          : S110Y28067074
First MAC Address      : B0B2DC0A8B78
Last MAC Address       : B0B2DC0A8B7F
MAC Address Quantity   : 08
Default Country Code   : FD
Boot Module Debug Flag : 01
RootFS      Checksum   : 0000c2ac
Kernel      Checksum   : 000072d4
RomFile     Checksum   : 0000ab94
Main Feature Bits      : 00
Other Feature Bits     :
          06 00 00 04 19 01 00 ff-f8 00 01 00 01 00 00 00
          00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00

Well, html files are inside firmware file, so you shouldn't have an empty folder.

I used those files and works fine, no problem.

Maybe an issue with your browser?, try to cleanup your history folder in your web browser.

17 (edited by zerg 2013-12-30 00:22:42)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Mijzelf
you  have trouble with network connection to subj
it may be
eth cable with bad contact
bad contact on your eth card  lan port
bad connection between you lan card and sabj
hardware fail at 1 of your devices


try to use network hub-swich to avoid connection troubles and make stable all time connection between your devices while important operations via eth interface.

Re: ZyXEL P-2812HNU-F1 Unbranding Process

@zerg: I can login over telnet, and see (ps) that httpd is not running. Then I can start it manually

mini_httpd -C /etc/mini_httpd.conf

My browser then gives a blank screen, and something seems terribly wrong:

[user@localhost P2812HNU]$ telnet 192.168.1.1 80
Trying 192.168.1.1...
Connected to 192.168.1.1 (192.168.1.1).
Escape character is '^]'.
GET / HTTP/1.0

Connection closed by foreign host.
[user@localhost P2812HNU]$ 

So I guess I don't have a network problem.

Meanwhile I have found that a 'shared memory problem' seems to exist, whatever that may be. /var/log/syslog.log:

Jan  1 01:00:13 local1.info ccc_be: cccRdmInitNodeMemory(): Reading /var/rdm/config.rdm ...
Jan  1 01:00:13 local1.info ccc_be: cccRdmInitNodeMemory(): RDM file_size fda880
Jan  1 01:00:14 daemon.crit mini_httpd: socket :: - Address family not supported by protocol
Jan  1 01:00:14 daemon.info mini_httpd: cccRdmInitNodeMemory(): Reading /var/rdm/config.rdm ...
Jan  1 01:00:14 daemon.debug mini_httpd: GetUnpackSize(): GetUnpackSize b:80
Jan  1 01:00:14 daemon.debug mini_httpd: GetUnpackSize(): GetUnpackSize b:a8
Jan  1 01:00:14 daemon.debug mini_httpd: GetUnpackSize(): GetUnpackSize b:fd
Jan  1 01:00:14 daemon.debug mini_httpd: GetUnpackSize(): GetUnpackSize b:0 [last message repeated 4 times in 0 seconds]
Jan  1 01:00:14 daemon.info mini_httpd: cccRdmInitNodeMemory(): RDM file_size fda880
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmAllocShareMemory(): rdmSize:fda880
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmAllocShareMemory(): rdmkey:/var/rdm/config.rdm_0
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmAllocShareMemory(): keys:1628177458
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmAllocShareMemory(): ret:0
Jan  1 01:00:14 daemon.debug mini_httpd: rdmInit(): finish rdmCB:42c008
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:InternetGatewayDevice.Layer3Forwarding
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:Layer3Forwarding
Jan  1 01:00:14 daemon.err mini_httpd: cccRdmSearchObjNodeByName(): cannot find
Jan  1 01:00:14 daemon.err mini_httpd: rdmGetObjectByName(): cccRdmSearchObjNodeByName == NULL
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:InternetGatewayDevice.WANDevice.1.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:WANDevice.1.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:1.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:InternetGatewayDevice.WANDevice.2.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:WANDevice.2.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:2.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:InternetGatewayDevice.WANDevice.3.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:WANDevice.3.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:3.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.err mini_httpd: cccRdmSearchObjNodeByName(): cannot find
Jan  1 01:00:14 daemon.err mini_httpd: rdmGetObjectByName(): cccRdmSearchObjNodeByName == NULL
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:InternetGatewayDevice.WANDevice.4.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:WANDevice.4.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:4.WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.debug mini_httpd: cccRdmSearchChildNode(): enter name:WANDSLInterfaceConfig
Jan  1 01:00:14 daemon.err mini_httpd: cccRdmSearchObjNodeByName(): cannot find
Jan  1 01:00:14 daemon.err mini_httpd: rdmGetObjectByName(): cccRdmSearchObjNodeByName == NULL
Jan  1 01:00:15 local1.warning ccc_be: cccRdmInitNodeMemory(): Loading /var/pdm/config.xml ...
Jan  1 01:00:26 kern.warning kernel: topology change detected, propagating
Jan  1 01:00:26 kern.info kernel: port 1(eth0) entering forwarding state
Jan  1 00:00:44 local1.info RemoteManagement: TELNET Login Successfully from IP:192.168.1.33
Jan  1 00:00:44 user.info syslog: root login on 'pts/0'
Jan  1 01:02:17 kern.err kernel: Reboot on training timeout (120)!!!

The last line causes a reboot. Fortunately that can be prevented by killing some services.

Any idea where and how the config.xml is stored? And can you tell me how 'No DSL, use WAN port' is encoded? I wonder if somehow the lack of DSL interferes with httpd.

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Mijzelf wrote:

can you tell me how 'No DSL, use WAN port' is encoded?

Never mind. Found it in /etc/init.d/S1_12xdsl:

echo ETHER >/var/wanmode 
mcputil modify A0 /var/wanmode

I wonder if somehow the lack of DSL interferes with httpd.

Nope.

20 (edited by Mijzelf 2013-12-30 12:10:22)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Mijzelf wrote:

Any idea where and how the config.xml is stored?

It's stored a TAG 60 with mcputil:

lzma -c config.xml -n config.lzma
mcputil modify 60 config.lzma

/Edit: And that solved my problem:

lzma -c /var/default-pdm/config.default.xml -n /tmp/config.lzma
mcputil modify 60 /tmp/config.lzma

Apparently my config was still the old one, and not compatible with the new firmware. Now I have to find how to re-enable root access.

Thanks, asmartin! smile

21 (edited by asmartin 2013-12-30 16:38:28)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Welcome Mijzelf. big_smile

But I think you're wrong.

config.xml is included in 311TUJ0C0.bin file at starting address 0x1084200h so it's not a problem of config file. It's default config file you can see as 311TUJ0C0.rom.

This is the extrated config file from .bin : extracted_config.rom

You can see same md5sum.

Did you try a factory reset?, just to see if it loads default config from flash, the one included in the .bin file.

Maybe you made any mistake when uploading files.

I recommend to repeat the process step by step, as indicated in the process.

Regards.

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Yes, of course there is a version of config.xml in the firmware. I used this to save it as 'working copy'.
And I *tried* a factory reset, as I would have expected it to do the same thing. But maybe I tried the wrong actions. I kept the reset button pressed on power-on, until the box was booted, and I kept the reset button pressed for 10 seconds on a booted box. Both had not the desired result.

Maybe you made any mistake when uploading files.

Uhm. Really? In that case ATSH would have shown something different, wouldn't it?

ZHAL> ATSH
ZLD   Version          : V3.11(TUJ.0)
Bootbase Version       : V3.04|04/01|2011(TUJ)

BTW, with the wrong config I could just login as root over telnet with password 1234. With the right config I could not login as root.
BTW2, meanwhile the 'Product Model          : P-2812HNUL-F1' automagically changed to 'Product Model          : P-2812HNU-F1'.

23 (edited by asmartin 2013-12-31 09:18:22)

Re: ZyXEL P-2812HNU-F1 Unbranding Process

Factory reset is performed pushing the reset button until all lights flash at the same time (red/orange), which occurrs from 10 to 30 seconds after you push and keep reset. If not all lights flashes in orange/red color, then you only performed an ordinary reset., not factory one.

Not on power on, but once the system is powered on.

Right sequence: Power on the router, and wait until it finishes starting up. Then press and keep pressed reset button until all lights flash in orange/red color. Release reset button and power cycle again.

Re: ZyXEL P-2812HNU-F1 Unbranding Process

I wonder if my factory reset didn't work due to the fact that is didn't boot completely? Also, in this thread I found that writing the 310TUJ0C0.bin file can be followed by

try erase partition: offset:20000, size: 20000, write size: 21000
nand erase offset 20000 length 20000
Erasing at 0x20000 -- 100% complete.
OK
Rebuild sysconfig... nand erase offset 7420000 length aa0000

I looked in my logs, and found:

try erase partition: offset:20000, size: 20000, write size: 21000
nand erase offset 20000 length 20000
Erasing at 0x20000 -- 100% complete.
OK
default (ignore)
default (ignore)

So apparently on my box the script didn't bother to erase the old config.

Mijzelf wrote:

BTW, with the wrong config I could just login as root over telnet with password 1234. With the right config I could not login as root.

Meanwhile I have found why. The file /etc/shadow (and /etc/passwd) is stored in config.xml. Aparently the boot-up default password for root is 1234, which is overwritten by the config. But in my original situation the config didn't contain that files, as so root kept it's password.
When you change the root password using the passwd command, and then change the admin password in the webinterface, the new root password is stored in the config. smile

Re: ZyXEL P-2812HNU-F1 Unbranding Process

hi all

i have P-2812HNUL-F1 from Turkish ISP Provider TTNET.

i can not execute step 10. "Execute ATSE P-2812HNUL-F1 command"

when i want to execute this command system gives me "invalid argument"

i try this commands but no luck sad
ATSE P-2812-HNU-F1
ATSE P-2812-HNUL-F1
ATSE P-2812-HNU-F3
ATSE P-2812-HNUL-F3
ATSE DSL-2492HNU-L3v2

how can find my correct command?

sorry for my bad english.

Greets from Turkey